From ecebe4ecd52f2b1438def9190cb52c7f4ea0aa03 Mon Sep 17 00:00:00 2001
From: Pierre Goiffon
Date: Wed, 2 Dec 2020 16:55:16 +0100
Subject: [PATCH] =?UTF-8?q?N=C2=B03416=20XFrame=20and=20cache=20headers=20?=
 =?UTF-8?q?optimizations=20*=20Remove=20XFrame=20header=20set=20in=20\WebP?=
 =?UTF-8?q?age::no=5Fcache=20:=20not=20this=20method=20responsability,=20w?=
 =?UTF-8?q?as=20confusing=20:/=20*=20Remove=20no=5Fcache()=20calls=20when?=
 =?UTF-8?q?=20already=20set=20in=20page=20constructor=20(ajax=5Fpage=20mai?=
 =?UTF-8?q?nly)=20*=20Also=20calls=20everywhere=20the=20\WebPage::no=5Fcac?=
 =?UTF-8?q?he=20method=20instead=20of=20setting=20headers=20manually?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 application/ajaxwebpage.class.inc.php | 4 +--
 application/csvpage.class.inc.php | 4 +--
 application/itopwebpage.class.inc.php | 7 ++---
 application/loginwebpage.class.inc.php | 4 +--
 application/webpage.class.inc.php | 1 -
 application/xmlpage.class.inc.php | 4 +--
 core/spreadsheetbulkexport.class.inc.php | 4 +--
 datamodels/2.x/combodo-db-tools/dbtools.php | 2 +-
 .../itop-attachments/ajax.itop-attachment.php | 1 -
 datamodels/2.x/itop-backup/ajax.backup.php | 1 -
 datamodels/2.x/itop-hub-connector/ajax.php | 1 -
 .../hubconnectorpage.class.inc.php | 4 +--
 pages/ajax.csvimport.php | 1 -
 pages/ajax.document.php | 1 -
 pages/ajax.render.php | 7 ++---
 pages/ajax.searchform.php | 1 -
 setup/email.test.php | 11 ++++---
 .../TwigBase/Controller/Controller.php | 8 ++---
 test/benchmark.php | 15 ++++-----
 webservices/export.php | 31 +++++++++----------
 20 files changed, 44 insertions(+), 68 deletions(-)
diff --git a/application/ajaxwebpage.class.inc.php b/application/ajaxwebpage.class.inc.php
index bbe93367d..2c9a61b1f 100644
--- a/application/ajaxwebpage.class.inc.php
+++ b/application/ajaxwebpage.class.inc.php
@@ -41,9 +41,7 @@ class ajax_page extends WebPage implements iTabbedPage
 parent::__construct($s_title, $bPrintable);
 $this->m_sReadyScript = "";
 //$this->add_header("Content-type: text/html; charset=utf-8");
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 $this->m_oTabs = new TabManager();
 $this->sContentType = 'text/html';
diff --git a/application/csvpage.class.inc.php b/application/csvpage.class.inc.php
index 9a34dbb53..78ddce6ad 100644
--- a/application/csvpage.class.inc.php
+++ b/application/csvpage.class.inc.php
@@ -32,9 +32,7 @@ class CSVPage extends WebPage
 function __construct($s_title)
 {
 parent::__construct($s_title);
 $this->add_header("Content-type: text/plain; charset=".self::PAGES_CHARSET);
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 //$this->add_header("Content-Transfer-Encoding: binary");
 }
diff --git a/application/itopwebpage.class.inc.php b/application/itopwebpage.class.inc.php
index 328a472de..fdd00e4a1 100644
--- a/application/itopwebpage.class.inc.php
+++ b/application/itopwebpage.class.inc.php
@@ -60,8 +60,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 // Create a breadcrumb entry for the current page, but get its title as late as possible (page title could be changed later)
 $this->bBreadCrumbEnabled = true;
 }
- else
- {
+ else {
 $this->bBreadCrumbEnabled = false;
 }
@@ -71,9 +70,7 @@ class iTopWebPage extends NiceWebPage implements iTabbedPage
 $this->m_aMessages = array();
 $this->SetRootUrl(utils::GetAbsoluteUrlAppRoot());
 $this->add_header("Content-type: text/html; charset=".self::PAGES_CHARSET);
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 $this->add_linked_stylesheet("../css/jquery.treeview.css");
 $this->add_linked_stylesheet("../css/jquery.autocomplete.css");
diff --git a/application/loginwebpage.class.inc.php b/application/loginwebpage.class.inc.php
index d3f0c6cde..db06af42b 100644
--- a/application/loginwebpage.class.inc.php
+++ b/application/loginwebpage.class.inc.php
@@ -84,9 +84,7 @@ class LoginWebPage extends NiceWebPage
 parent::__construct($sTitle);
 $this->SetStyleSheet();
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 }
diff --git a/application/webpage.class.inc.php b/application/webpage.class.inc.php
index 111bc43f5..15beec651 100644
--- a/application/webpage.class.inc.php
+++ b/application/webpage.class.inc.php
@@ -507,7 +507,6 @@ class WebPage implements Page
 $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
 $this->add_header('Pragma: no-cache');
 $this->add_header('Expires: 0');
- $this->add_xframe_options(); //FIXME shouldn't be done here !!!!!
 }
 /**
diff --git a/application/xmlpage.class.inc.php b/application/xmlpage.class.inc.php
index 0ac2dcc6d..ce98884a1 100644
--- a/application/xmlpage.class.inc.php
+++ b/application/xmlpage.class.inc.php
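Review bot: After this hunk `no_cache()` silently stops emitting `X-Frame-Options`, so any caller outside this commit that relied on the old coupling loses its clickjacking protection with no signal at all; the method's docblock (the method starts before the hunk) should spell out the new contract, e.g. `Sends the Cache-control/Pragma/Expires headers that forbid caching. Does NOT set X-Frame-Options: page constructors and scripts must call add_xframe_options() themselves.` The scripts touched here (setup/email.test.php, test/benchmark.php) add the explicit call, but a sweep of every other `->no_cache()` call site whose page class does not call `add_xframe_options()` in its constructor would confirm nothing else regresses. The removed FIXME explains the intent; the docblock is where the next reader will look for it.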
@@ -43,9 +43,7 @@ class XMLPage extends WebPage
 $this->m_bPassThrough = $bPassThrough;
 $this->m_bHeaderSent = false;
 $this->add_header("Content-type: text/xml; charset=".self::PAGES_CHARSET);
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 $this->add_header("Content-location: export.xml");
 }
diff --git a/core/spreadsheetbulkexport.class.inc.php b/core/spreadsheetbulkexport.class.inc.php
index a742bc780..36e97f05f 100644
--- a/core/spreadsheetbulkexport.class.inc.php
+++ b/core/spreadsheetbulkexport.class.inc.php
@@ -199,8 +199,8 @@ EOF
 // Integration within MS-Excel web queries + HTTPS + IIS:
 // MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
 // Then the fix is to force the reset of header values Pragma and Cache-control
- $oPage->add_header("Pragma:", true);
- $oPage->add_header("Cache-control:", true);
+ $oPage->add_header("Pragma:");
+ $oPage->add_header("Cache-control:");
 }
 public function GetHeader()
diff --git a/datamodels/2.x/combodo-db-tools/dbtools.php b/datamodels/2.x/combodo-db-tools/dbtools.php
index 869c4d337..40822becb 100644
--- a/datamodels/2.x/combodo-db-tools/dbtools.php
+++ b/datamodels/2.x/combodo-db-tools/dbtools.php
@@ -212,9 +212,9 @@ function DisplayInconsistenciesReport($aResults)
 header('Content-Description: File Transfer');
 header('Content-Type: multipart/x-zip');
 header('Content-Disposition: inline; filename="'.basename($sZipReport).'"');
- header('Expires: 0');
 header('Cache-Control: must-revalidate');
 header('Pragma: public');
+ header('Expires: 0');
 header('Content-Length: '.filesize($sZipReport));
 readfile($sZipReport);
 unlink($sZipReport);
diff --git a/datamodels/2.x/itop-attachments/ajax.itop-attachment.php b/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
index b603773f1..6ad463491 100644
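Review bot: `$oPage->add_header("Pragma:")` and `$oPage->add_header("Cache-control:")` only "reset" anything because PHP's `header()` treats a name with an empty value as a request to drop that header rather than send it empty, and that in turn presumes `add_header()` hands the string through to `header()` unchanged — neither fact is visible in the hunk, and the existing comment says what is wanted but not why an empty value achieves it. A one-line comment above the two calls, `// An empty value ("Pragma:") makes PHP's header() remove the header instead of sending it empty`, would make the workaround self-explanatory. Since this deliberately re-enables caching of the exported rows for the Excel/IIS case, that trade-off is worth stating in the same comment.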
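Review bot: Moving `header('Expires: 0')` after `Pragma: public` leaves the policy itself unchanged, and `Cache-Control: must-revalidate` without `private` or `no-store` still lets a shared cache store the generated inconsistency report; for a diagnostic archive produced for the requesting user, `header('Cache-Control: private, must-revalidate');` is the safer default. The same three headers are emitted in the same order in sources/application/TwigBase/Controller/Controller.php in this commit, so both sites should agree on whichever value is chosen. Whether any intermediary cache actually sits in front of these endpoints is not visible here.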
--- a/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
+++ b/datamodels/2.x/itop-attachments/ajax.itop-attachment.php
@@ -61,7 +61,6 @@ try
 LoginWebPage::DoLoginEx(null /* any portal */, false);
 $oPage = new ajax_page("");
- $oPage->no_cache();
 $sOperation = utils::ReadParam('operation', '');
diff --git a/datamodels/2.x/itop-backup/ajax.backup.php b/datamodels/2.x/itop-backup/ajax.backup.php
index 528a48916..754a1ba17 100644
--- a/datamodels/2.x/itop-backup/ajax.backup.php
+++ b/datamodels/2.x/itop-backup/ajax.backup.php
@@ -51,7 +51,6 @@ function DisplayErrorAndDie($oPage, $sHtmlErrorMessage, $exitCode = null)
 $sOperation = utils::ReadParam('operation', '');
 $oPage = new ajax_page('');
-$oPage->no_cache();
 $oPage->SetContentType('text/html');
diff --git a/datamodels/2.x/itop-hub-connector/ajax.php b/datamodels/2.x/itop-hub-connector/ajax.php
index f9e44d81e..b83977e59 100644
--- a/datamodels/2.x/itop-hub-connector/ajax.php
+++ b/datamodels/2.x/itop-hub-connector/ajax.php
@@ -111,7 +111,6 @@ function DoBackup($sTargetFile)
 function ReportStatus($sMessage, $bSuccess, $iErrorCode = 0, $aMoreFields = array())
 {
 $oPage = new ajax_page("");
- $oPage->no_cache();
 $oPage->SetContentType('application/json');
 $aResult = array(
 'code' => $iErrorCode,
diff --git a/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php b/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
index 1a01bc88f..1ee703e02 100644
--- a/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
+++ b/datamodels/2.x/itop-hub-connector/hubconnectorpage.class.inc.php
@@ -6,9 +6,7 @@ class HubConnectorPage extends NiceWebPage
 {
 parent::__construct($sTitle);
- $this->add_header('Cache-control: no-cache, no-store, must-revalidate');
- $this->add_header('Pragma: no-cache');
- $this->add_header('Expires: 0');
+ $this->no_cache();
 $this->add_xframe_options();
 $sImagesDir = utils::GetAbsoluteUrlAppRoot().'images';
diff --git a/pages/ajax.csvimport.php b/pages/ajax.csvimport.php
index e833817e4..ed4138e3a 100644
--- a/pages/ajax.csvimport.php
+++ b/pages/ajax.csvimport.php
@@ -242,7 +242,6 @@ try
 {
 case 'parser_preview':
 $oPage = new ajax_page("");
- $oPage->no_cache();
 $oPage->SetContentType('text/html');
 $sSeparator = utils::ReadParam('separator', ',', false, 'raw_data');
 if ($sSeparator == 'tab') $sSeparator = "\t";
diff --git a/pages/ajax.document.php b/pages/ajax.document.php
index 732130189..dada3ad23 100644
--- a/pages/ajax.document.php
+++ b/pages/ajax.document.php
@@ -38,7 +38,6 @@ try
 require_once(APPROOT.'/application/loginwebpage.class.inc.php');
 $oPage = new ajax_page("");
- $oPage->no_cache();
 $operation = utils::ReadParam('operation', '');
 $sClass = utils::ReadParam('class', 'MissingAjaxParam', false, 'class');
diff --git a/pages/ajax.render.php b/pages/ajax.render.php
index e15a8f621..0881a155e 100644
--- a/pages/ajax.render.php
+++ b/pages/ajax.render.php
@@ -68,8 +68,6 @@ try
 LoginWebPage::DoLoginEx($sRequestedPortalId, false);
 $oPage = new ajax_page("");
- $oPage->no_cache();
-
 $sFilter = utils::ReadParam('filter', '', false, 'raw_data');
 $sEncoding = utils::ReadParam('encoding', 'serialize');
@@ -889,13 +887,12 @@ try
 case 'chart':
 // Workaround for IE8 + IIS + HTTPS
 // See TRAC #363, fix described here: http://forums.codecharge.com/posts.php?post_id=97771
- $oPage->add_header("Expires: Fri, 17 Jul 1970 05:00:00 GMT");
 $oPage->add_header("Cache-Control: cache, must-revalidate");
 $oPage->add_header("Pragma: public");
+ $oPage->add_header("Expires: Fri, 17 Jul 1970 05:00:00 GMT");
 $aParams = utils::ReadParam('params', array(), false, 'raw_data');
- if ($sFilter != '')
- {
+ if ($sFilter != '') {
 $oFilter = DBSearch::unserialize($sFilter);
 $oKPI = new ExecutionKPI();
 $oDisplayBlock = new DisplayBlock($oFilter, 'chart_ajax', false);
diff --git a/pages/ajax.searchform.php b/pages/ajax.searchform.php
index 99cfeda1f..cf6ebae27 100644
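Review bot: The `chart` branch adds `Cache-Control: cache, must-revalidate`, `Pragma: public` and a 1970 `Expires` on an `ajax_page` whose constructor already called `no_cache()` (application/ajaxwebpage.class.inc.php in this commit), so the response carries two contradictory `Cache-Control` values and which one the client honours depends on whether `add_header()` replaces or appends duplicate names — not visible here. `cache` is also not a registered `Cache-Control` directive, and the comment scopes the workaround to IE8 + IIS, so it is worth re-checking that it is still needed at all; if it is, say so where the override happens: `// Intentionally overrides the no_cache() headers set by ajax_page::__construct() (IE8/IIS/HTTPS workaround)`. The enclosing `switch` continues past the hunk.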
--- a/pages/ajax.searchform.php
+++ b/pages/ajax.searchform.php
@@ -49,7 +49,6 @@ try
 }
 $oPage = new ajax_page("");
- $oPage->no_cache();
 $oPage->SetContentType('text/html');
 $sListParams = utils::ReadParam('list_params', '{}', false, 'raw_data');
diff --git a/setup/email.test.php b/setup/email.test.php
index dc7f22770..45f5a2fb8 100644
--- a/setup/email.test.php
+++ b/setup/email.test.php
@@ -255,11 +255,12 @@ try
 break;
 case 'step2':
- $oP->no_cache();
- $sTo = Utils::ReadParam('to', '', false, 'raw_data');
- $sFrom = Utils::ReadParam('from', '', false, 'raw_data');
- DisplayStep2($oP, $sFrom, $sTo);
- break;
+ $oP->no_cache();
+ $oP->add_xframe_options('DENY');
+ $sTo = Utils::ReadParam('to', '', false, 'raw_data');
+ $sFrom = Utils::ReadParam('from', '', false, 'raw_data');
+ DisplayStep2($oP, $sFrom, $sTo);
+ break;
 default:
 $oP->error("Error: unsupported operation '$sOperation'");
diff --git a/sources/application/TwigBase/Controller/Controller.php b/sources/application/TwigBase/Controller/Controller.php
index 68b0e8887..8243f7bfe 100644
--- a/sources/application/TwigBase/Controller/Controller.php
+++ b/sources/application/TwigBase/Controller/Controller.php
@@ -435,18 +435,16 @@ abstract class Controller
 $sFileMimeType = utils::GetFileMimeType($sFilePath);
 header('Content-Type: '.$sFileMimeType);
- if ($bFileTransfer)
- {
+ if ($bFileTransfer) {
 header('Content-Description: File Transfer');
 header('Content-Disposition: inline; filename="'.$sDownloadArchiveName);
 }
- header('Expires: 0');
 header('Cache-Control: must-revalidate');
 header('Pragma: public');
+ header('Expires: 0');
- foreach ($aHeaders as $sKey => $sValue)
- {
+ foreach ($aHeaders as $sKey => $sValue) {
 header($sKey.': '.$sValue);
 }
diff --git a/test/benchmark.php b/test/benchmark.php
index 4a9997bd7..96f0f8ea0 100644
--- a/test/benchmark.php
+++ b/test/benchmark.php
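Review bot: `$oP->add_xframe_options('DENY')` is added to the `step2` case only, and because this commit removes the `X-Frame-Options` emission from `WebPage::no_cache()` (application/webpage.class.inc.php), every other operation of this `switch` that calls `no_cache()` on its own now goes out frameable unless `$oP`'s constructor sets the header — the class of `$oP` is outside the hunk, so that cannot be confirmed here. The same gap is visible in test/benchmark.php, where the `create_structure_go` case at the end of its hunk calls `no_cache()` alone. Emitting `$oP->add_xframe_options('DENY');` once before the `switch` would cover every case and stop a new one from forgetting it.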
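Review bot: The context line `header('Content-Disposition: inline; filename="'.$sDownloadArchiveName);` two lines above the moved `Expires` opens a double quote that is never closed, so the value sent is `filename="name` unless `$sDownloadArchiveName` already carries the closing quote; it is pre-existing, but this is the header block the commit is tidying, and `header('Content-Disposition: inline; filename="'.$sDownloadArchiveName.'"');` fixes it. Whether `$sDownloadArchiveName` is sanitised before reaching the header is not visible here. The enclosing method starts before the hunk.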
@@ -782,14 +782,15 @@ try
 case 'create_structure':
 $oP->no_cache();
- $iPlannedContacts = Utils::ReadParam('plannedcontacts');
- $iPlannedContracts = Utils::ReadParam('plannedcontracts');
+ $oP->add_xframe_options('DENY');
+ $iPlannedContacts = Utils::ReadParam('plannedcontacts');
+ $iPlannedContracts = Utils::ReadParam('plannedcontracts');
- $oDataCreation = new BenchmarkDataCreation();
- $oDataCreation->PlanStructure($iPlannedContacts, $iPlannedContracts);
- $oDataCreation->ShowPlans($oP);
- $oDataCreation->ShowForm($oP, 'create_structure_go');
- break;
+ $oDataCreation = new BenchmarkDataCreation();
+ $oDataCreation->PlanStructure($iPlannedContacts, $iPlannedContracts);
+ $oDataCreation->ShowPlans($oP);
+ $oDataCreation->ShowForm($oP, 'create_structure_go');
+ break;
 case 'create_structure_go':
 $oP->no_cache();
diff --git a/webservices/export.php b/webservices/export.php
index 56a7f16f6..5dea33432 100644
--- a/webservices/export.php
+++ b/webservices/export.php
@@ -190,24 +190,23 @@ if (!empty($sExpression)) {
 case 'html':
 $oP = new NiceWebPage("iTop - Export");
- $oP->add_style('body { overflow: auto; }'); // Show scroll bars if needed
- $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
- $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
-
- // Integration within MS-Excel web queries + HTTPS + IIS:
- // MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
- // Then the fix is to force the reset of header values Pragma and Cache-control
- header("Pragma:", true);
- header("Cache-control:", true);
+ $oP->add_style('body { overflow: auto; }'); // Show scroll bars if needed
+ $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/all.min.css');
+ $oP->add_linked_stylesheet(utils::GetAbsoluteUrlAppRoot().'css/font-awesome/css/v4-shims.min.css');
-
- // The HTML output is made for pages located in the /pages/ folder
- // since this page is in a different folder, let's adjust the HTML 'base' attribute
- // to make the relative hyperlinks in the page work
- $sUrl = utils::GetAbsoluteUrlAppRoot();
- $oP->set_base($sUrl.'pages/');
+ // Integration within MS-Excel web queries + HTTPS + IIS:
+ // MS-IIS set these header values with no-cache... while Excel fails to do the job if using HTTPS
+ // Then the fix is to force the reset of header values Pragma and Cache-control
+ header("Cache-control:", true);
+ header("Pragma:", true);
-
- if(count($aFields) > 0)
- {
+ // The HTML output is made for pages located in the /pages/ folder
+ // since this page is in a different folder, let's adjust the HTML 'base' attribute
+ // to make the relative hyperlinks in the page work
+ $sUrl = utils::GetAbsoluteUrlAppRoot();
+ $oP->set_base($sUrl.'pages/');
+
+ if (count($aFields) > 0) {
 $iSearch = array_search('id', $aFields);
 if ($iSearch !== false) {
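Review bot: The re-indented `header("Cache-control:", true)` / `header("Pragma:", true)` go straight to PHP's `header()` on a `NiceWebPage`, whereas core/spreadsheetbulkexport.class.inc.php in this same commit performs the identical reset through `$oPage->add_header("Pragma:")`; if `add_header()` buffers headers and emits them when the page is output, the page's own no-cache headers are sent after these raw calls and the reset is a no-op — the emission order is not visible in this hunk. Switching to `$oP->add_header("Cache-control:");` and `$oP->add_header("Pragma:");` would make the two export paths behave the same way, whichever order turns out to be right. Since the rest of the hunk is whitespace-only, this is the only functional line worth a second look; the enclosing `switch` and `if` continue past the hunk.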